Which combination of actions needs to be taken to create a multi-account structure that meets the company’s requirements?
(Choose three.)
Create accounts for each production workload within an organization in AWS Organizations. Place the production accounts within an organizational unit (OU). For each account, delete the default VPC. Create an SCP with a Deny rule for the attach an internet gateway and create a default VPC actions. Attach the SCP to the OU for the production accounts.
Create accounts for each production workload within an organization in AWS Organizations. Place the production accounts within an organizational unit (OU). Create an SCP with a Deny rule on the attach an internet gateway action. Create an SCP with a Deny rule to prevent use of the default VPC. Attach the SCPs to the OU for the production accounts.
Create an SCP containing a Deny Effect for cloudfront:*, iam:*, route53:*, and support:* with a StringNotEquals condition on an aws:RequestedRegion condition key with us-west-2 and eu-central-1 values. Attach the SCP to the organization’s root.
Create an IAM permission boundary containing a Deny Effect for cloudfront:*, iam:*, route53:*, and support:* with a StringNotEquals condition on an aws:RequestedRegion condition key with us-west-2 and eu-central-1 values. Attach the permission boundary to an IAM group containing the development and production users.
Create accounts for each development workload within an organization in AWS Organizations. Place the development accounts within an organizational unit (OU). Create a custom AWS Config rule to deactivate all IAM users when an account’s monthly bill exceeds $500.
Create accounts for each development workload within an organization in AWS Organizations. Place the development accounts within an organizational unit (OU). Create a budget within AWS Budgets for each development account to monitor and report on monthly spending exceeding $500.
Explanations:
This correctly addresses the production internet access requirement. Deleting the default VPC and using an SCP to deny attaching internet gateways and creating default VPCs ensures that production accounts cannot have direct internet access.
While denying the ec2:AttachInternetGateway action is correct, an SCP cannot deny the creation of the default VPC. The default VPC is created automatically upon account creation. Deleting the default VPC is the correct approach.
This SCP correctly restricts all accounts in the organization (due to being attached to the root) to only using the us-west-2 and eu-central-1 Regions. The use of StringNotEquals with the aws:RequestedRegion condition key and a list of allowed Regions is the proper way to enforce Regional restrictions with SCPs. The services listed are not needed for development and are restricted.
Permission boundaries set the maximum permissions that an IAM entity can have. They do not prevent actions in the same way that SCPs do. A user could still create resources in other Regions if their IAM policies allow it, even with a permission boundary in place. SCPs are the correct mechanism for enforcing organizational-level restrictions like Regional limitations.
Deactivating IAM users based on spending is a drastic measure and not a good practice. It would completely lock out developers, preventing them from even monitoring or managing their resources. A budget with notifications is a more appropriate approach.
AWS Budgets allows you to set spending thresholds and receive notifications when those thresholds are exceeded. This is the correct way to monitor and alert on spending in development accounts.
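To make the SCP mechanics in the first and third explanations concrete, here is an added example (not part of the original question set) that writes out the two Deny SCPs described above and runs a simplified evaluator over sample requests. The evaluator (`scp_denies`, a hypothetical helper) only models Deny statements with `*` action wildcards and the StringNotEquals operator; it assumes the implicit FullAWSAccess allow is attached and ignores IAM policies, so it answers only "does an attached SCP deny this call?".

```python
"""Simplified SCP evaluator (added example, not from the original page).
Models only Deny statements and the StringNotEquals operator; real SCP
evaluation also involves FullAWSAccess and the principal's IAM policies."""
import fnmatch

# Root-attached SCP from the answer: listed services only in two Regions.
REGION_SCP = {
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["us-west-2", "eu-central-1"]}},
    }]
}

# Production-OU SCP: no internet gateways, no recreating the default VPC.
PROD_SCP = {
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:AttachInternetGateway", "ec2:CreateDefaultVpc"],
        "Resource": "*",
    }]
}

def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, context):
    """Only StringNotEquals is modelled; a statement with no Condition always applies."""
    for key, allowed in condition.get("StringNotEquals", {}).items():
        values = allowed if isinstance(allowed, list) else [allowed]
        if context.get(key) in values:
            return False  # request value is one of the listed values, so not "NotEquals"
    return True

def scp_denies(scps, action, region):
    """True if any Deny statement in the attached SCPs matches the request."""
    context = {"aws:RequestedRegion": region}
    for scp in scps:
        for stmt in scp["Statement"]:
            actions = stmt["Action"]
            actions = actions if isinstance(actions, list) else [actions]
            if (stmt["Effect"] == "Deny"
                    and _action_matches(actions, action)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                return True
    return False
```

Note that the root SCP leaves services it does not list (for example ec2:RunInstances in us-east-1) untouched, which is why the internet-gateway restriction needs its own SCP on the production OU.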